AEPD - PS-00079-2020

From GDPRhub
AEPD - PS-00079-2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 83(5)(a) GDPR
72 (1) (b) LOPDPGDD
64 (f) LPACAP
Type: Investigation
Outcome: Violation Found
Decided: 07.09.2020
Published: n/a
Fine: 60000 EUR
Parties: G.L.P. INSTALACIONES 86, S.L.
National Case Number/Name: PS-00079-2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA imposed a sanction of EUR 60,000 on an air conditioning installation company for having processed personal data without having the legal basis to do so.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant stated that he called the number Naturgy's commercial attention telephone number to ask for a price estimate for the air conditioning installation in their home, they took their data and he was told that he would be contacted shortly by the company collaborator of Naturgy.

He was contacted by two companies and both presented themselves as Naturgy partners. It is recorded in the file that the company chosen by the claimant was G.L.P. Instalaciones 86, S.L. As he had numerous problems with G.L.P. Instalaciones 86, S.L. because of the installation, he complained to Naturgy, and their answer was that they had not sent him and that he was not their authorized installer.

Naturgy declared to the Spanish DPA that the claimed entity is not a collaborating company of this company and, Therefore Naturgy did not communicate any customer data to it.

Therefore, it is not known how the respondent obtained the data of the complaining consumer.

Dispute[edit | edit source]

The processing of personal data by a company without being legally entitled to do so can be considered an infringement of Article 6 (1) GDPR?

Holding[edit | edit source]

The Spanish DPA held that the documentation in the file provides evidence that the claimed company violated Article 6 (1) GDPR, since it processed the personal data of the claimant (name, surname, NIF, telephone number, correspondence address, address of the object of the contract, bank account, email), without a legal basis for the processing of the claimant's data.


In this case, it was taken into account as an aggravating factor that there has been no cooperation by the complainant with the agency in order to remedy the infringement and mitigate its defects and that basic personal identifiers, as set out in Articles 83(2)(f) GDPR and 83(2)(g) GDPR, are affected.

In addition, the annual turnover of the company complained of was considered to be a mitigating factor, as set out in Articles 83(2)(k) GDPR and 76(2)(c) LOPDGDD.

In summary, the Spanish DPA agreed to impose a fine of EUR 60,000 on G.L.P. Instalaciones 86, S.L.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00079/2020
938-300320
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based on the following:
BACKGROUND
FIRST: D. A.A.A. (hereinafter the complainant) dated 27 October 2019 filed a complaint with the Spanish Data Protection Agency.
The claim is directed against G.L.P. Instalaciones 86, S.L., with NIF B66161126 (hereinafter the claimed).
The complainant states that on 28 June 2019 he called the number Naturgy's commercial attention telephone number to ask for a budget for the air conditioning installation in their home, they took their
data and he was told that he would be contacted shortly by the company collaborator of Naturgy.
Thus, he was contacted by two companies and both were presented as collaborators of Naturgy.
Having numerous problems with the claimed installation, he interposed a complaint to Naturgy, his response was that they had not sent him and that they were an approved installer of his.
In view of the above, he does not know how the company obtained his personal data.

SECOND: In accordance with the provisions of Article 65.4 of the LOPGDD, which has provided for a machine prior to the admission of complaints that are to the SPEA, consisting of transferring them to the Protection Delegates of Data designated by the persons responsible for or in charge of the processing, for the purposes provided for in Article 37 of the said regulation, or to them when there are no designated, the claim was transferred to the entity being challenged under the file E/11288/2019, by a letter signed on 27 November 2019 for to carry out its analysis and to respond to the complainant and to this Agency within one month.
The letter was notified to the defendant electronically with the date of acceptance of the notification on the same day, as evidenced by the certificate issued by the FNMT on file.
Once the period granted to the defendant has elapsed without her having responded to the request for information, in accordance with Article 65.2 of the Law Organic 3/2018, on Data Protection and Guarantee of Digital Rights (LOPDGDD), on 03/03/2020, the agreement on admission to the present complaint. 

THIRD: On 8 June 2020, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against G.L.P. Instalaciones 86, S.L., by virtue of the powers established in art. 58.2 of the RGPD and in articles 47, 64.2 and 68.1 of the Organic Law 3/2018 of 5 December on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), by infringement of Article 6.1 of the GPRS, as defined in Article 83.5(a) of the GPRS and considered very serious in 72.1.b), for prescription purposes, setting a sanction
60,000 (sixty thousand euros). 

FOURTH: The Agreement on the Initiation of Sanctioning Procedures was notified to the claimed electronically with the date of availability being 9 June 2020 and the date of automatic rejection on the 20th of the same month and year, as certifies the certificate issued by the FNMT on file.
 FIFTH: Formal notification of the agreement to begin, the claim at the time of this resolution has not submitted any written submissions, so it is an application of the provisions of Article 64 of Law 39/2015 of 1 October on the Common Administrative Procedure for Public Administrations, which in its paragraph (f) provides that in the event of failure to make representations within the prescribed period on the content of the initiating agreement, it may be considered as a proposal for resolution when it contains a precise statement of liability 
The Court of First Instance shall give its decision in accordance with the procedure laid down in Article 251 of the Treaty.
In view of the foregoing, the Spanish Protection Agency
The following are considered to be proven facts in these proceedings:

PROVEN FACTS

FIRST: It is recorded that the complainant, on June 28, 2019, called the number commercial attention of the entity Naturgy to ask for budget, took their data and he was contacted by two companies and both presented themselves as collaborators of Naturgy. It is recorded in the file that the company that chose the claimant was G.L.P. Instalaciones 86, S.L. Having had numerous problems with G.L.P. Instalaciones 86, S.L. due to the installation, filed a complaint with Naturgy, his response was that they did not had sent and that he was not an authorised installer of theirs.

SECOND: On 27th December 2019, Naturgy states to this Agency that the claimed entity is not a collaborating company of this company and by So Naturgy did not communicate any customer data to it.

THIRD: On 8 June 2020, this sanctioning procedure was initiated by the infringement of Article 6.1 of the RGPD (lawfulness of processing), being notified on 20 of the same month and year. Not having made any allegations, the defendant, to the agreement of start. 

LEGAL FOUNDATIONS

I
By virtue of the powers conferred on each of the parties by Article 58(2) of the GPRS authority, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II
Article 5 of the General Data Protection Regulation deals with principles governing the processing of personal data and mentions among them that of "legality, loyalty, and transparency". The precept states:
"1. Personal data shall be: 
a) Processed in a lawful, loyal, and transparent manner with the data subject;".

Article 6 of the RGPD, "Lawfulness of processing", details in paragraph 1 the cases in which the processing of third party data is considered lawful:
"1. Processing is only lawful if it complies with at least one of the following conditions:
a) the data subject has given his consent to the processing of his data for one or more specific purposes;
(b) processing is necessary for the performance of a contract in which the interested is a party to or for the application at his request of measures pre-contractual; 
(…)”

The violation of article 6.1 of the RGPD is typified in article 83 of the RGPD which, under the heading "General conditions for the imposition of fines administrative", he points out:
“5. Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of up to 20,000,000 Eur or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual turnover for the previous financial year, opting for the largest:
(a) The basic principles for treatment, including the conditions for consent under articles 5, 6, 7, and 9.
Organic Law 3/2018, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD) in its article 72.1.b) qualifies this infraction, for the purposes prescription, as a very serious infringement.
The documentation in the file provides evidence that the claimed person violated Article 6.1 of the RGPD, since he processed the personal data of the claimant (name, surname, NIF, telephone number, address of correspondence, address of the object of the contract, bank account, email), without having legal
processing of the claimant's data.

It should be recalled that Article 5 of the RGPD, after referring in its paragraph 1 to the principles relating to the processing of personal data - including, as The Court of Justice has noted in the previous Statement of Grounds that "legality" is a requirement, as it says in paragraph 2: 
"The controller shall be responsible for compliance with the provided for in paragraph 1 and capable of demonstrating it (<<proactive responsibility>>)" well, with regard to the facts which are the subject of this complaint, we must emphasize that despite repeated requests from the AEPD to explain the facts on which it is based, never answered nor provided any evidence to suggest that the processing of the data of the claimant had been legitimate.
In this regard, we refer to the request for information that the AEPD addressed the respondent in the framework of E/11288/2019. The request, the receipt of which by the latter it is proven (certificate issued by the FNMT) that it took place on 27 November of 2019.
However, no reply was received and on 3 March this year the admission of the claim was agreed.
Reminder that, limited to the violation of article 6.1. of the RGPD, has in order to show that the respondent has had ample opportunity to provide evidence or documents to prove that, contrary to the statements and documentary evidence provided by the claimant, the processing of the data which is the subject of the assessment in the present case has been lawfully adjusted.
The lack of diligence shown by the entity in complying with the obligations imposed by personal data protection regulation is therefore obvious. Diligent compliance with the principle of the lawfulness of the processing of third party data requires that the data controller is in a position to prove it (principle of proactive responsibility).
In short, there is evidence in the file that the respondent dealt with the personal data of the claimant without legitimization. The conduct described violates article 6.1. of the RGPD and is subsumable in the sanctioning type of the article 83.5.a, of the RGPD.

III
In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the RGPD must be observed, which state "Each supervisory authority shall ensure that the imposition of fines
administrative offences under this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are on a case-by-case basis effective, proportionate and dissuasive".
"Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j) In deciding to impose a fine
and its amount in each individual case will be duly taken into account:
(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of stakeholders affected and the level of damage and damages they have suffered;
(b) the intentionality or negligence of the infringement;
(c) any measure taken by the controller or processor
to mitigate the damages suffered by those concerned;
(d) the degree of responsibility of the person responsible for or in charge of treatment, taking into account any technical or organisational measures that have applied under Articles 25 and 32;
(e) any previous infringement committed by the person responsible for or in charge of treatment;
 (f) the degree of cooperation with the supervisory authority in order to put remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the way in which the supervisory authority became aware of the infringement,
in particular whether the person responsible or the person in charge notified the infringement and, in that
case, to what extent;
(i) where the measures referred to in Article 58(2) have been ordered in advance against the person responsible or the person in charge in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and 
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement".
With respect to paragraph k) of Article 83.2 of the RGPD, the LOPDGDD, Article 76,
"Sanctions and corrective measures", it provides:
 "In accordance with Article 83(2)(k) of Regulation (EU) 2016/679 may also be taken into account:
(a) the continuing nature of the infringement
(b) The link between the activity of the offender and the carrying out of the processing of personal data.
c) The benefits obtained as a result of the commission of the infringement.
(d) The possibility that the conduct of the data subject may have led to the
commission of the offence.
(e) The existence of a post-commission merger process of the infringement, which cannot be attributed to the absorber.
f) Affecting the rights of minors.
(g) To have, where not mandatory, a delegate for the protection of data.
h) The submission by the person responsible or in charge, with a to alternative dispute resolution mechanisms, in those in cases where there is a dispute between them and any interested party".

 In accordance with the above provisions, for the purpose of setting the amount of the penalty of a fine to be imposed on the defendant as the perpetrator of an infringement Article 83.5.a) of the RGPD, are deemed to be concurrent in the present 
The following factors may be considered as aggravating factors:
- The lack of cooperation with the AEPD in order to remedy the infringement and mitigate its effects (Article 83(2)(f) of the GPRS)
- Basic personal identifiers are affected (name, surname, NIF, telephone, correspondence address, object address of the contract, bank account, Email) (article 83.2 g).
The following factor is considered in this case as a mitigating factor:
- Taking into account the annual turnover (Article 83(2)(k) and 76(2)(c)) LOPDGDD).
Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of penalties whose existence has been established, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: To impose on G.L.P. INSTALACIONES 86, S.L., with NIF B66161126, by an infringement of Article 6.1. of the RGPD, as defined in Article 83.5.a) of the said RGPD, a fine of 60,000 euros (sixty thousand euros).
SECOND: NOTICE this resolution to G.L.P. INSTALACIONES 86, S.L.

THIRD: To warn the sanctioned party that he must make effective the sanction imposed a once this decision becomes enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of 1 October, on Administrative Procedure Commonwealth of Independent States (hereinafter LPACAP), within the payment period established in art. 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 December, by means of its payment, indicating the tax identification number of the procedure set out in the heading of this document, in the account
restricted No ES00 0000 0000 0000 0000, open on behalf of the Agency Spanish Data Protection in the bank CAIXABANK, S.A.. Otherwise, it will be collected during the enforcement period.
Once notification has been received and once it has become enforceable if the enforceability date
The deadline for the completion of the registration process is between the 1st and 15th of each month, inclusive.
Voluntary payment will be until the 20th day of the following month or the next business day, and if is between the 16th and the last day of each month, inclusive, the deadline of payment will be made until the 5th of the second following month or immediately thereafter.
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to art. 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for a reversal to the Director of the Spanish Data Protection Agency within a period of a month from the day following notification of this resolution or directly contentious-administrative appeal to the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46(1) of the referred to Law.
Finally, it is pointed out that in accordance with the provisions of Article 90.3 a) of the LPACAP, the final decision may be suspended in administrative proceedings as a precautionary measure if the person concerned indicates his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this made by writing to the Spanish Data Protection Agency,
by submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registrations provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. Also must send to the Agency the documentation proving the effective intervention
of the contentious-administrative appeal. If the Agency was not aware of the lodging of the contentious-administrative appeal within two months of the day following notification of this resolution, would terminate the precautionary suspension.
Mar Spaña Marti
Director of the Spanish Data Protection Agency